Google Security Technology

After Rewrites, Google Wallet Still Has Holes 82

itwbennett writes "A report from viaForensics makes clear that, despite efforts by Google to tighten up security after a poor evaluation in December, Google Wallet still stores data in too many places and could make it available too easily to be a secure way to make purchases using smartphones."
This discussion has been archived. No new comments can be posted.

  • by SJHillman ( 1966756 ) on Friday February 10, 2012 @01:38PM (#38996913)

    If you don't like it, why are you still here? I may not agree with Slashdot's spin on many stories, but it's still a great aggregation site and the commentary is pretty good if you ignore all of the morons like you. The ability to form your own opinion and present it in a non-troll-like manner still seems to be valued here by a decent majority even if it goes against the prevailing bias.

  • by masternerdguy ( 2468142 ) on Friday February 10, 2012 @01:46PM (#38997019)
    I like this place for the discussion - not the news.
  • by Anonymous Coward on Friday February 10, 2012 @01:48PM (#38997029)

    You only get pro-Google

    At least paste your tripe in an article that's actually pro-Google, nitwit.

  • by VoodooTrucker ( 2570037 ) on Friday February 10, 2012 @01:53PM (#38997091)
    You don't even need a secure area on the smart phone. You could put a thumbprint reader on the phone, then generate a hash from the thumbprint, then use that hash to generate a public/private key pair, then encrypt the credit card details with the public key. The phone would never have to store the private key at all.

    That is just one of many ideas that would help make this secure. Among others:

    1. Require a thumbprint *and* a PIN code
    2. Have an uber-long password to reset things in case the thumbprint or PIN don't work
    3. Have a website to blacklist lost or stolen phones, not just some obscure phone number
    4. When talking to other NFC equipped terminals, don't send the credit card data. Have the phone sign a "transaction receipt" with your private key. This would prevent replay attacks and no one would ever even have your card number
    5. Create a separate pay-pal like account that users could put limited funds in, so if their phone was stolen, they would only lose the money in that account

    And in addition, there could be many cool new features:

    1. Put NFC readers on laptops, and use the public key idea for online shopping
    2. Use your public key for door locks, and throw away your keychain *and* your wallet
    3. Keep a list of transaction details on the phone, then sync up to Quickbooks at night

    This technology could be super cool if they did it correctly, but as usual it seems to be implemented in the most half-assed way possible. Did these guys even contact an independent security firm to audit this before release? Did they hire someone like Bruce Schneier to architect it securely in the first place? Or did they just have a couple of MBAs, junior devs, and a few legal people draw something up on a whiteboard?
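The signed "transaction receipt" idea from item 4 of the comment above, sketched as an added example that is not part of the original thread and not Google Wallet's design. It assumes Ed25519 keys and a single-use nonce issued by the terminal (the nonce is an assumption added here; the comment does not mention one), and `Terminal`, `signReceipt` and `demo` are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Terminal (verifier) side. It holds only the phone's public key; names are hypothetical.
class Terminal {
  constructor(merchant, phonePublicKey) {
    this.merchant = merchant;
    this.phonePublicKey = phonePublicKey;
    this.open = new Map(); // nonce -> amount, for challenges not yet redeemed
  }
  // Step 1: a fresh random nonce ties the receipt to this one purchase.
  challenge(amountCents) {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.open.set(nonce, amountCents);
    return { merchant: this.merchant, amountCents, nonce };
  }
  // Step 3: check the signature before trusting any field, then the nonce.
  accept({ body, signature }) {
    const sig = Buffer.from(signature, 'base64');
    if (!crypto.verify(null, Buffer.from(body), this.phonePublicKey, sig)) return 'bad-signature';
    const f = JSON.parse(body);
    if (f.merchant !== this.merchant) return 'wrong-merchant';
    if (!this.open.has(f.nonce) || this.open.get(f.nonce) !== f.amountCents) return 'stale-nonce';
    this.open.delete(f.nonce); // single use: the same receipt cannot be redeemed twice
    return 'accepted';
  }
}

// Step 2 (phone side): sign exactly the bytes that will be sent; no card number is included.
function signReceipt(challenge, privateKey) {
  const body = JSON.stringify(challenge);
  return { body, signature: crypto.sign(null, Buffer.from(body), privateKey).toString('base64') };
}

// Constructed run: one honest purchase, then three ways a captured receipt gets reused.
function demo() {
  const phone = crypto.generateKeyPairSync('ed25519'); // stand-in for the thumbprint-derived key
  const shop = new Terminal('coffee-shop', phone.publicKey);
  const other = new Terminal('other-shop', phone.publicKey);
  const receipt = signReceipt(shop.challenge(450), phone.privateKey);
  const tampered = { ...receipt, body: receipt.body.replace('450', '1') };
  return {
    first: shop.accept(receipt),      // 'accepted'
    replay: shop.accept(receipt),     // 'stale-nonce'
    tampered: shop.accept(tampered),  // 'bad-signature'
    elsewhere: other.accept(receipt), // 'wrong-merchant'
  };
}
```

In this sketch the signature alone only stops tampering; the replayed receipt is rejected because the terminal retires each nonce after one use.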
  • Bullshit (Score:2, Insightful)

    by walterbyrd ( 182728 ) on Friday February 10, 2012 @01:58PM (#38997121)

    It's actually just the opposite.

    Slashdot publishes google smear stories practically every day. Including stories with very little credibility, i.e. stories from personal blogs etc.

  • by walterbyrd ( 182728 ) on Friday February 10, 2012 @02:06PM (#38997215)

    Their wallet, checkout, or whatever really does suck. Not just because of security, but because of serious difficulty to set up and use, lack of features, and essentially no help from google.

    I have used google wallet, and I have used paypal. Paypal is *far* superior.

    I am far from a google hater. I even have some of those weenie google certs in analytics, and google apps. Sadly, Google merchant, and google wallet, are just not worth using.

    Google is aware of the many problems with google apps, merchant, wallet, etc. But google only really cares about their bread-and-butter advertising business. Everything else is on a distant back burner. Google services, other than advertising, are things that google employees work on in their spare time - very low priority.

  • by Anonymous Coward on Friday February 10, 2012 @02:21PM (#38997343)

    You know Google's failing badly on a project when PayPal has a better product.
